Linked by Thom Holwerda on Tue 7th Mar 2006 15:27 UTC
Mac OS X
An Apple Computer patch released last week doesn't completely fix a high-profile Mac OS X flaw, leaving a toehold for cyberattacks, experts said. The update added a function called 'download validation' to the Safari Web browser, Apple Mail client and iChat instant messaging tool. "While Apple added a checkpoint to the downloading and execution process, they did not eliminate this vulnerability," said Kevin Long, an analyst at security specialist Cybertrust and a Mac user for 11 years. "If a user can be tricked into opening a file that looks like a picture, the user may actually be opening a malicious script."
News Flash!
by tastytaste on Tue 7th Mar 2006 15:56 UTC
tastytaste
Member since:
2005-07-08

"Idiot computer users manage to break, infect and disable their machines despite manufacturers' best efforts."

seriously, you deserve it if you download something and are told that it's a program then still open it thinking it's a picture (or movie, whatever) then are told that this application is being run for the first time, click OK and get screwed.

Reply Score: 2

RE: News Flash!
by MikeGA on Tue 7th Mar 2006 18:31 UTC in reply to "News Flash!"
MikeGA Member since:
2005-07-22

Yes but the problem is that if the file arrived by some other means, it would still appear to be a real picture or movie file. However, the real solution to the problem would actually be very easy for Apple to implement:

At present if you open a document that will launch an application for the first time, OS X warns you that "you are about to run application XXX for the first time. Are you sure you want to?"

This is because Launch Services has been told to open the file, and before doing so it performs a quick check.

So, all Apple has to do is extend Launch Services. Whenever the user opens an application, Launch Services should perform a quick check to see if the app has been run before. If it hasn't then it can provide a nice dialog with words to the effect of:

The application you just launched has never been run before. If you think you are actually opening something that isn't an application, then it is highly likely it is malicious. Are you sure you want to run it?

There we go, simple as that ;)

Reply Score: 3

RE[2]: News Flash!
by stew on Tue 7th Mar 2006 18:52 UTC in reply to "RE: News Flash!"
stew Member since:
2005-07-06

Unfortunately, it's not that simple. A shell script is not considered an application but a text document that happens to be associated with Terminal.app.

The flaw in the system is not something technical but on the usability side - the user is being tricked into thinking that a certain file is an image, where in fact it's a script. That's a conceptual problem that Apple can't simply address in a small bugfix. What is needed is a way to show the actual file type (which is not necessarily the file name suffix) to the user, and as it stands right now, the only way of doing this in the Finder is to explicitly open the "Get Info..." window.

Edited 2006-03-07 18:56

Reply Score: 2

RE[3]: News Flash!
by elsewhere on Tue 7th Mar 2006 19:29 UTC in reply to "RE[2]: News Flash!"
elsewhere Member since:
2005-07-13

> Unfortunately, it's not that simple. A shell script is not considered an application but a text document that happens to be associated with Terminal.app.

> The flaw in the system is not something technical but on the usability side - the user is being tricked into thinking that a certain file is an image, where in fact it's a script. That's a conceptual problem that Apple can't simply address in a small bugfix. What is needed is a way to show the actual file type (which is not necessarily the file name suffix) to the user, and as it stands right now, the only way of doing this in the Finder is to explicitly open the "Get Info..." window.

I don't use OS X, but since it's BSD-based, does it rely on the executable bit being set before launching a file as an app or a script?

If it's a data file, like an image or a movie, it can launch the helper app as expected, but if it's a script, shouldn't the terminal app be verifying it's executable? I'm sure most users wouldn't want to have to deal with chmod, but could a simplified method be implemented that would require users to explicitly indicate a downloaded or transferred file should be executable? Done properly, I don't see that it would really impact usability.

I dunno, maybe I'm talking through my hat. Like I said, I'm not familiar with OS X in daily use, so it's just a thought as much as a question.

Reply Score: 2

RE[3]: News Flash!
by RenatoRam on Tue 7th Mar 2006 19:57 UTC in reply to "RE[2]: News Flash!"
RenatoRam Member since:
2005-11-14

It's a bit funny that gnome got this right before apple:

first, when launching a file it checks for the "real" file type using libmagic, and warns you if the extension and content do not match.

and second: a shell script is NOT executable until you set the +x bit yourself!

Reply Score: 3

RE[3]: News Flash!
by MikeGA on Wed 8th Mar 2006 09:19 UTC in reply to "RE[2]: News Flash!"
MikeGA Member since:
2005-07-22

Fair enough. But in which case, surely shell scripts are the terminal's responsibility to handle securely then?

Reply Score: 1

RE[2]: News Flash!
by ApproachingZero on Wed 8th Mar 2006 06:56 UTC in reply to "RE: News Flash!"
ApproachingZero Member since:
2005-11-10

> There we go, simple as that ;)

I want a real fix for this problem, not another "are you really really sure?" dialog box. The "are you sure you want to do this?" dialog box has been the standard security method in IE since its birth and look how well that worked.

Reply Score: 1

RE[3]: News Flash!
by MikeGA on Wed 8th Mar 2006 09:21 UTC in reply to "RE[2]: News Flash!"
MikeGA Member since:
2005-07-22

The reason this has been a problem in Internet Explorer is more due to the disconnection for the average user between the message and what they are doing. In this particular instance, it would be a lot clearer to the user just what is going on.

Reply Score: 1

RE: News Flash!
by dr_gonzo on Tue 7th Mar 2006 20:10 UTC in reply to "News Flash!"
dr_gonzo Member since:
2005-07-06

This is exactly the problem.

If Mac OS X only identified file types with libmagic instead of file extensions and somehow made it obvious on any icon that that file is executable then these vulnerabilities would not occur.

I have a bad feeling though that this issue won't properly be addressed until 10.5 when Finder will (hopefully) be given a makeover.

Reply Score: 1
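
The two behaviours RenatoRam credits to GNOME (warn when suffix and content disagree, refuse to run a script without the +x bit) and the content-based identification dr_gonzo asks for, as an added example that is not part of the original thread and is neither GNOME's nor Apple's code. The signature table is a small stand-in for libmagic; the `classify` function, the action labels and the sample file names are assumptions made for illustration.

```python
import os
import stat
import tempfile
from dataclasses import dataclass

# Leading-byte signatures: a tiny stand-in for libmagic's database.
SIGNATURES = [
    (b"\xff\xd8\xff", "jpeg"),
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"GIF87a", "gif"),
    (b"GIF89a", "gif"),
    (b"%PDF-", "pdf"),
    (b"#!", "script"),                # interpreter line of a shell/Perl/Python script
    (b"\xfe\xed\xfa\xce", "mach-o"),  # 32-bit Mach-O, big-endian
    (b"\xce\xfa\xed\xfe", "mach-o"),  # 32-bit Mach-O, little-endian
]
# What the file name suffix claims the file is.
EXTENSIONS = {".jpg": "jpeg", ".jpeg": "jpeg", ".png": "png", ".gif": "gif",
              ".pdf": "pdf", ".sh": "script", ".command": "script"}
RUNNABLE = {"script", "mach-o"}


@dataclass
class Verdict:
    claimed: str     # type implied by the file name suffix
    actual: str      # type implied by the leading bytes
    mismatch: bool   # suffix and content disagree
    has_x_bit: bool  # any execute permission bit is set
    action: str      # "open-in-viewer", "run", "warn" or "refuse"


def sniff(data: bytes) -> str:
    """Identify content from its first bytes, ignoring the file name."""
    for magic, kind in SIGNATURES:
        if data.startswith(magic):
            return kind
    return "unknown"


def classify(path: str) -> Verdict:
    """Decide what a double-click should do, from content and permissions."""
    with open(path, "rb") as fh:
        actual = sniff(fh.read(16))
    claimed = EXTENSIONS.get(os.path.splitext(path)[1].lower(), "unknown")
    mode = os.stat(path).st_mode
    has_x = bool(mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH))
    mismatch = claimed != "unknown" and actual != claimed
    if mismatch:
        action = "warn"                        # suffix says one thing, content another
    elif actual in RUNNABLE:
        action = "run" if has_x else "refuse"  # no +x bit, no execution
    else:
        action = "open-in-viewer"
    return Verdict(claimed, actual, mismatch, has_x, action)


def demo() -> dict:
    """Classify constructed sample files written to a temporary directory."""
    script = b"#!/bin/sh\necho constructed sample\n"
    samples = {
        "holiday.jpg": (b"\xff\xd8\xff\xe0" + b"\x00" * 12, 0o644),  # real JPEG header
        "photo.jpg": (script, 0o755),   # script hiding behind an image suffix
        "backup.sh": (script, 0o644),   # honest script, +x never set
        "deploy.sh": (script, 0o755),   # honest script the user marked executable
    }
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        for name, (content, mode) in samples.items():
            path = os.path.join(tmp, name)
            with open(path, "wb") as fh:
                fh.write(content)
            os.chmod(path, mode)
            results[name] = classify(path)
    return results


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:12} {verdict}")
```
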

Hardly a vulnerability
by mallard on Tue 7th Mar 2006 16:00 UTC
mallard
Member since:
2006-01-06

You can give a .exe a file icon on Windows and nobody classes that as a vulnerability, why is the same thing called a vulnerability on OS X?

I once gave a .exe file the correct icon and metadata to make it look like a Word document. (it was a joke "virus" written in VB, I don't write "real" malware)

Reply Score: 3

RE: Hardly a vulnerability
by croco on Tue 7th Mar 2006 16:30 UTC in reply to "Hardly a vulnerability"
croco Member since:
2005-09-16

> You can give a .exe a file icon on Windows and nobody classes that as a vulnerability, why is the same thing called a vulnerability on OS X?

And now rename your jokevirus.exe to jokevirus.jpg. Double click it. That's the difference. ;)

Reply Score: 5

RE[2]: Hardly a vulnerability
by mallard on Tue 7th Mar 2006 16:53 UTC in reply to "RE: Hardly a vulnerability"
mallard Member since:
2006-01-06

>> You can give a .exe a file icon on Windows and nobody classes that as a vulnerability, why is the same thing called a vulnerability on OS X?

>And now rename your jokevirus.exe to jokevirus.jpg. Double click it. That's the difference. ;)

Both systems hide the file extension by default.
In Windows, it is possible to spoof the metadata that is shown in tile view (but not the properties box or details pane).
If you right click in Windows, you get "Open" as the default action, just like with a real document. If you right-click/ctrl-click in OS X, you get "Open with SomeApp" or "Execute", so you can tell quite easily.

Therefore, the threat level seems about the same for each OS.

Reply Score: 4

RE[3]: Hardly a vulnerability
by cr8dle2grave on Tue 7th Mar 2006 17:21 UTC in reply to "RE[2]: Hardly a vulnerability"
cr8dle2grave Member since:
2005-07-11

_Therefore, the threat level seems about the same for each OS._

Yes, each is equally bad. Whoever at MS decided that hiding file extensions by default (actually even allowing them to be hidden at all) was a good thing deserves nothing less than a smack across the head with a very thick clue stick.

Reply Score: 1

RE[4]: Hardly a vulnerability
by EmmEff on Tue 7th Mar 2006 17:28 UTC in reply to "RE[3]: Hardly a vulnerability"
EmmEff Member since:
2005-09-16

What difference does it make if the file extension is visible if you don't know the meaning of the extension in the first place?

My grandmother shouldn't have to worry that an EXE is disguised as a JPG, nor should she have to know what an EXE or JPG is in order to safely use a computer.

This whole idea that the user should know the difference is ignorant and unfounded.

Reply Score: 3

RE[5]: Hardly a vulnerability
by DJ Jedi Jeff on Tue 7th Mar 2006 17:35 UTC in reply to "RE[4]: Hardly a vulnerability"
DJ Jedi Jeff Member since:
2006-03-07

"This whole idea that the user should know the difference is ignorant and unfounded."

Where did the idea come from that users should expect to use a computer safely and securely, with 0% chance of risk to their computer or their data, without actually having an understanding of how their computer works?

That, to me, seems unfounded.

Reply Score: 5

RE[6]: Hardly a vulnerability
by kadymae on Tue 7th Mar 2006 18:05 UTC in reply to "RE[5]: Hardly a vulnerability"
kadymae Member since:
2005-08-02

> without actually having an understanding of how their computer works?

How much of an understanding of how your car works do you have?

Yet ... so many safely drive without understanding how a 4 stroke internal combustion engine works and/or the planetary gear systems in their auto trans.

---

So, back on to the whole file names and extensions. Not only does the user have to recognize an alphabet soup of extensions, which may or may not give hints about what the file does, they then have to start learning that some of these arcane differences restrict what can be done to the file.

For example

My husband is handed a file called paper.doc.

His old version of Word can't open it.

So I do a rename of the file to paper.rtf or paper.txt and bingo, it works.

So now I am in the position of explaining to him why renaming IE6.exe to IE6.app won't let the program open on his mac. Or why changing the .doc on a word file to .pdf doesn't turn it into something Adobe reader wants to open and play nice with.

And he's still puzzled about why some times it works for some letters and not for others. Because to him (and thousands of others), a .doc .rtf .xls file is the program. That is, they don't understand that there's a huge difference between something called opera.exe and opera.html

'Cause they're both computer files, right?

I have to explain, at least twice a week, to college students, and sometimes even to PhDs internationally renowned in their fields, that while all programs are files, not all files are programs.

And you'd be amazed at the blank looks on faces.

Reply Score: 3

RE[7]: Hardly a vulnerability
by Tom K on Tue 7th Mar 2006 19:33 UTC in reply to "RE[6]: Hardly a vulnerability"
Tom K Member since:
2005-07-06

While not many people understand how an engine or automatic transmission work, people know enough about operating their car that they won't use both the brake and gas at the same time, not to swerve wildly around, and not to pop their tranny into reverse when doing 60 down the street.

The same applies to computers. They might not necessarily understand the concept of file extensions and file type associations, but they should better damned understand that double-clicking files attached to email messages from people they don't know is dangerous for their computer, just like doing the above is dangerous for them/the car.

Reply Score: 2

RE[7]: Hardly a vulnerability
by chip_0 on Wed 8th Mar 2006 13:33 UTC in reply to "RE[6]: Hardly a vulnerability"
chip_0 Member since:
2005-07-12

> Because to him (and thousands of others), a .doc .rtf .xls file is the program. That is, they don't understand that there's a huge difference between something called opera.exe and opera.html

That's true and quite common among users. On my file manager, the default action on double clicking a file is to pop up a dialog, asking the user whether to execute the file (if possible) or to open it with a registered application. Users are generally a bit hesitant when faced with the dialog, but it gives a basic understanding of what "opening" a file involves.

I feel that a system which allows users to develop a basic understanding of its working is more reliable than something which completely abstracts its working. I am not talking about forcing the user to understand the complex implementation behind a process (i.e. filename to mimetype matching, mimetype handling and so on), but just some logical interpretation of the system. It helps avoid the occasional problem (like this one) that users are bound to face.

Reply Score: 1

Your Grandmother...
by cr8dle2grave on Tue 7th Mar 2006 17:42 UTC in reply to "RE[4]: Hardly a vulnerability"
cr8dle2grave Member since:
2005-07-11

...has two choices: 1) learn what file extensions are, or 2) use an OS which limits flexibility in order to protect users from themselves. 2 is obviously the better solution for most users, which is why I would recommend it. In this case it would mean that any icon representing any file associated with the shell should have some kind of clear indication of that fact (like a big ugly terminal badge). Further, any executable file needs to have a similar badge on it which will clearly indicate to the user that clicking on it will launch an executable rather than opening the file in another program.

> This whole idea that the user should know the difference is ignorant and unfounded.

No. The idea that a computer should be useable with no instruction whatsoever is ignorant and unfounded and is further the cause of many desktop security problems. It's a tool, and if you can't be arsed to learn how to use it, just as we are expected to learn how to use most tools, then you shouldn't be using it at all.

Reply Score: 1

RE[5]: Hardly a vulnerability
by Maners on Tue 7th Mar 2006 20:54 UTC in reply to "RE[4]: Hardly a vulnerability"
Maners Member since:
2005-07-26

According to your logic, all car manufacturers should cut out all the trees growing nearby the roads because the user (driver) shouldn't have to know that when he hits it he'll die...

The purpose of the OS is to make it possible to easily interact with the hardware and software, but not think for the user.

Reply Score: 1

alcibiades
Member since:
2005-10-12

I am having the perhaps ungenerous thought that while Apple is an interesting company, and OSX an interesting operating system, one can finally have too many stories in too much detail on even the most interesting of subjects....

Reply Score: 3

The level of denial is amazing
by cr8dle2grave on Tue 7th Mar 2006 17:15 UTC
cr8dle2grave
Member since:
2005-07-11

This vulnerability is serious, very serious. It is not just a problem for "dumb users". Kudos to Apple for getting a fix out quickly which closes off the worst attack vector (simply clicking on a link in Safari will no longer pass along arbitrary data to the shell interpreter), but the underlying cause of the problem still remains.

The real problem is related to the Mac behavior which allows for a file association to be set on an individual file that then overrides the global file association settings. In order for a user to behave intelligently, the OS must first behave consistently and, while per file associations can be useful on an individual computer, I do not believe there is any feasible way to make this kind of behavior secure in the context of a public network. In order to be a well-behaved user I must be able to count on the OS doing the exact same thing every time in response to the same action. If I launch an "image file"--whether it is a real image file or a fake should be irrelevant here--it should invoke the default image viewer. Per file associations can be secure so long as they hold only within the context of a single machine, but tying that unique association to the file itself (actually the hidden resource directory) is an inherently insecure practice which will continue to result in security problems.

Perhaps there is a compromise position between allowing per file associations and not allowing them at all. Certain programs (eg., the shell, the apple script interpreter, etc...) could be excluded from the list of executables which the OS allows to be associated with an individual file. That way you could still set an individual html file to open in an editor rather than in the default browser, but nothing could be associated with shell except as set in the global file associations. Still not very secure behavior, but better.

Reply Score: 4

DJ Jedi Jeff Member since:
2006-03-07

And what do you propose as the alternative? I do not want to have to put a file extension on every one of my files and be restricted to that. For instance, I have many PDFs that have to be opened in Adobe Reader due to form data being present. Most other PDFs I want to open in Preview because it's faster. I fail to see how I can accomplish this without per-file associations. The same is true for many other document types.

I understand your suggestion but I don't think it would solve the whole problem. As long as I can have a file called "abc.jpg" be a shell script or an app, there is the potential for mischief. Should Apple disallow the use of periods in file names of apps and shell scripts? Then we would just see "abc,jpg" and have essentially the same problem. Apple could force apps and scripts to have a certain extension, but that's quite a major undertaking (particularly on the script side).

There are no easy answers. If you want to call this a vulnerability, that's fine. It's probably not fair to call the OS flawed because of this, though. That's like saying my house is flawed because it's vulnerable to small arms fire. At some point, tradeoffs have to be made.

Reply Score: 2

Alternatives?
by cr8dle2grave on Tue 7th Mar 2006 19:21 UTC in reply to "RE: The level of denial is amazing"
cr8dle2grave Member since:
2005-07-11

I really think the best option is to limit the per file association to the computer where it was set. Thus if a file were to be sent by email, zipped, transferred to a shared network drive, or put on a thumb drive it would then revert to opening with the default application on any computer where the unique association wasn't explicitly set. Maybe I'm a purist, but I think it is absolutely crucial that your computer behave predictably, which means that if your OS is going to treat a file as an image file, video file, or text file then it should predictably treat them like every other image, video, or text file unless explicitly instructed to do otherwise.

Apple might also be able to require that all scripts have a proper file extension (sh, py, pl, etc...) in order to be launched by the GUI.

Reply Score: 2

RE: Alternatives?
by Peragrin on Tue 7th Mar 2006 21:52 UTC in reply to "Alternatives?"
Peragrin Member since:
2006-01-05

But that limits how things are sent. Most downloaded OS X apps are DMG. Disk images. They get mounted to the file system and a new finder window then opens. Most use a custom background and locations to showcase their wares. (If you run OS X download the Fire IM client)

Reply Score: 1

RE[2]: Alternatives?
by cr8dle2grave on Tue 7th Mar 2006 22:20 UTC in reply to "RE: Alternatives?"
cr8dle2grave Member since:
2005-07-11

But that's for apps, yes? I'm talking about how OS X handles the file associations for plain old files.

Reply Score: 1

sandbox
by Thom_Holwerda on Tue 7th Mar 2006 18:25 UTC
Thom_Holwerda
Member since:
2005-06-29

Wouldn't it be possible to create a sort of sandbox for files downloaded off of the internet? Say I receive 'photo.jpg' that actually happens to be a malicious script. Would it be possible for Apple to implement some sort of simulated open/execute chain?

Instead of actually *really* opening the file (and thus running the terminal + malicious script) it performs a simulated run of the script, and then makes an assertion about whether or not the file is dangerous, using the output of the script?

I'm having a hard time explaining this, so you may need to read this 3 times before you get me :/.

Reply Score: 5

RE: sandbox
by spikeb on Tue 7th Mar 2006 18:36 UTC in reply to "sandbox"
spikeb Member since:
2006-01-18

that's a brilliant idea

Reply Score: 1

RE: sandbox
by croco on Tue 7th Mar 2006 18:49 UTC in reply to "sandbox"
croco Member since:
2005-09-16

Isn't it what anti-virus software should do? I think that some windows av-tools are doing exactly this kind of stuff already (dr.web for example).

Reply Score: 1

RE[2]: sandbox
by spikeb on Wed 8th Mar 2006 00:56 UTC in reply to "RE: sandbox"
spikeb Member since:
2006-01-18

the os itself should do it, though. seems like kind of a no brainer

Reply Score: 1

Apple needs to make a choice
by anonymous-bert on Tue 7th Mar 2006 19:28 UTC
anonymous-bert
Member since:
2006-02-16

The problem exists due to OSX determining execution type by meta-data and display type by file extension. Hence how you can have a shell script with a jpeg icon.

To me, the solution is simple, keep the execution type to meta data. If absent meta data set execution type to file extension. Set the display type to meta-data, if absent meta data set display type to file extension.

This way, the user will always see the execution representation and the system maintains its granularity. A user can still make a shell script look like an image file, but the script would then be handled by the system as an image.

Bert

Reply Score: 1

Last paragraph
by PCheese on Tue 7th Mar 2006 19:58 UTC
PCheese
Member since:
2005-07-24

Such security issues are, of course, not exclusive to the Mac. If a user can be tricked into downloading and opening a file, that user's system can be compromised. "This is true regardless of the operating system being used. It is a universal vulnerability," Long said.

Reply Score: 1

hmm
by poundsmack on Tue 7th Mar 2006 21:11 UTC
poundsmack
Member since:
2005-07-13

the truth of the matter is no matter how secure you make an operating system if you don't first have the users educated properly on what not to do they will find a way to make it unsecure. my mother for example sees pop ups that say "want to protect yourself from spyware (in windows)" and thinks it's a good idea to click it. why? because she doesn't know any better, (and she is an idiot. but we will forget about that for the time being). "make it idiot proof and somebody will make a better idiot."

Reply Score: 3

RE:News Flash!
by netpython on Tue 7th Mar 2006 22:57 UTC
netpython
Member since:
2005-07-06

> seriously, you deserve it if you download something and are told that it's a program then still open it thinking it's a picture (or movie, whatever) then are told that this application is being run for the first time, click OK and get screwed.

I'm afraid that's not the whole picture.
Today's browsers are little OSes themselves. Without any user intervention, all that's needed is clicking a link and you are screwed.

Reply Score: 1

Much Ado About Nothing
by pixelmutt on Wed 8th Mar 2006 00:21 UTC
pixelmutt
Member since:
2006-03-06

'Much Ado About Nothing'
so sez Billy S.

Reply Score: 1

Jesus Christ!
by kaiwai on Wed 8th Mar 2006 01:26 UTC
kaiwai
Member since:
2005-07-06

Please, when is it going to get to the point that PERSONAL RESPONSIBILITY starts to take course, and the liability for people's stupidity, in regards to businesses, finish.

Reply Score: 1